Open dbosk opened 7 years ago
To test the designed password policies (#5), we can use the passwords from leaked databases (Rockyou, LinkedIn, Dropbox, ...), select the passwords that fulfil the policy and see what effects it has on the distribution.
We cannot evaluate password policies using the leaked password databases, because the [Kelley2012] paper concludes that it doesn't make a good evaluation: passwords created under a different policy but which fulfil another policy tend to be stronger than representative ones.
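As an added illustration of the filtering step proposed above (my own example code, not code from this issue or the course repository): it takes a password list, keeps the entries that satisfy a candidate policy, and summarises the shape of the surviving distribution. The password list, the two policy functions and the metric names are all constructed for the example; none of the values come from RockYou, LinkedIn or any real breach. The [Kelley2012] caveat still applies: the compliant subset is a selection from passwords created under some other policy, not a sample of passwords users would create under the policy being tested, so the numbers describe the filter, not the policy.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a leaked password list, one entry per account.
# Made up for this example; not rows from any real leak.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "iloveyou",
    "Password1", "Password1", "Summer2010!", "qwerty", "letmein",
    "Tr0ub4dor&3", "correcthorse", "Monkey123", "abc123", "P@ssw0rd",
    "P@ssw0rd", "dragon", "Welcome1!", "sunshine9",
]


# Two candidate policies (hypothetical names, assumed for the example).
def min_length_8(pw: str) -> bool:
    """At least eight characters, nothing else required."""
    return len(pw) >= 8


def four_classes_8(pw: str) -> bool:
    """At least eight characters and all four character classes present."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def evaluate_policy(passwords, policy, top_k=3):
    """Filter a password list by a policy and summarise what survives.

    compliance_rate   fraction of accounts whose password already fits the policy
    distinct          number of distinct compliant passwords
    topk_coverage     share of compliant accounts accounted for by the top_k
                      most popular compliant passwords
    min_entropy_bits  -log2 of the most common password's share; lower means
                      a more concentrated distribution
    """
    compliant = [pw for pw in passwords if policy(pw)]
    n = len(compliant)
    if n == 0:  # nothing survives the filter: report zeros, avoid dividing by 0
        return {"compliance_rate": 0.0, "distinct": 0,
                "topk_coverage": 0.0, "min_entropy_bits": 0.0}
    counts = Counter(compliant)
    most_common = counts.most_common(top_k)
    return {
        "compliance_rate": n / len(passwords),
        "distinct": len(counts),
        "topk_coverage": sum(c for _, c in most_common) / n,
        "min_entropy_bits": -math.log2(most_common[0][1] / n),
    }


def compare_policies(passwords, policies, top_k=3):
    """Run evaluate_policy for each named policy; returns {name: metrics}."""
    return {name: evaluate_policy(passwords, fn, top_k)
            for name, fn in policies.items()}


if __name__ == "__main__":
    results = compare_policies(SAMPLE_PASSWORDS, {
        "any": lambda pw: True,
        "min_length_8": min_length_8,
        "four_classes_8": four_classes_8,
    })
    for name, m in results.items():
        print(f"{name:15s} compliance={m['compliance_rate']:.2f} "
              f"distinct={m['distinct']:2d} top3={m['topk_coverage']:.2f} "
              f"min_entropy={m['min_entropy_bits']:.2f} bits")
```

Because every policy is applied to the same list, the comparison is between different selections of one dataset, so only the shape of each surviving distribution (concentration, number of distinct values) is informative; the compliance rate says how much of the original data the filter throws away, which is exactly the selection effect the paper warns about.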
Session 1: Students discuss the papers they've read. They are divided into groups and should design a password policy and how to evaluate it. They present this by the end of the session.
Session 2: For this session they have performed their evaluation and now they present and discuss the results.
Perhaps it's better that they design general user authentication and do it well from the beginning. Requiring them to work with passwords is requiring them to do as best they can with something already bad.
Password guessing in its own right is not particularly interesting. The interesting ILOs come from the pwdpolicies seminar right now. However, the pwdguess lab is an interesting tool, thus it can be included in the seminar instead: something along the lines of using it to evaluate policies.
The seminar should also be steered more towards exploring, applying and evaluating research related to password security.